Another infected device

Recently we released a product especially for netbooks, so we’re performing compatibility tests on newly released netbooks in an ongoing way. The other day we bought a brand new M&A Companion Touch to test. After initial checks, the testing group contacted me since they suspected a malware infection. Could this be yet another example of a factory-infected device?

A scan detected the following malware: Worm.Win32.AutoRun.aayn, Rootkit.Win32.Agent.hwq and Packed.Win32.Krap.g. For anyone interested, here are the MD5s:

Worm.Win32.Autorun.aayn: 0x4f90e62489e5a891a1d9520408164b8c
Rootkit.Win32.Agent.hwq: 0x7f289b08a41ef6c26b684dc4d95028ee
Packed.Win32.Krap.g: 0x1928c09bdb7d2c7d1180bf2105e1315a

After some analysis I was able to determine that these files had been present since February 2009, a long time before we got the netbook.

The AutoRun worm spreads to removable devices, exploiting weaknesses in how Microsoft implemented the functionality. I blogged about the problem over at zdnet. What probably happened is that somebody used an infected USB stick and hooked it up to the machine while installing some drivers for it.

The true purpose of this worm is to steal passwords for a number of online games, such as Lord of the Rings and Maple Story. It also uses a special downloader mechanism. The PE files are encoded and pre-pended by a fake RAR header to fool security solutions. We detect such ‘malformed’ files as Trojan.Win32.Ramag.

This case shows once again that even brand new products can leave the factory infected. Safeguarding against infected new devices is particularly difficult. Doing an offline scan with an up to date security solution normally is the most effective solution. As there will have been a time lapse between the device getting infected and you getting your hands on it, your security solution should have no problem detecting the malware.

Naturally, we’ve informed M&A of our findings – but since the device is out there, we are also warning users.